Hiding in plain sight: How one Akira affiliate is masking its malicious activity

Akira’s ransomware-as-a-service operation has been highly active in seeking out Australian targets – here’s what network defenders need to know about the hackers’ recent activity.


Threat analysts at cyber security firm Barracuda have observed a change in tactics by an affiliate of the Akira ransomware-as-a-service (RaaS) operation: rather than bringing its own known malware tooling, the affiliate relied on living-off-the-land techniques, abusing software that was already present in the victim's environment.

“Barracuda’s Managed XDR team recently mitigated an Akira ransomware attack that tried to evade detection by exploiting tools in the target’s infrastructure rather than bringing its own known arsenal, and disguising its malicious activity as everyday IT,” Barracuda said in a 25 September blog post.

Akira has a track record of targeting Australian organisations, and has recently been observed exploiting a vulnerability in SonicWall firewall devices to do so. This latest shift in tactics makes Akira even more of a threat, because activity that runs through the victim's own administrative tooling leaves far fewer signature-based indicators for defenders to match on.

The first element of the attack chain was timing. In the case observed by Barracuda, the threat actor moved against the victim's network at 4am on a public holiday: a quiet period for the company, and therefore an ideal moment for malicious activity to pass as routine maintenance.

The Akira affiliate gained access to a domain controller and then pivoted to an instance of the Datto remote monitoring and management (RMM) tool that was already installed on that controller, using the legitimate agent as its channel for executing code.

“The attackers used the Datto RMM to remotely push and execute a PowerShell script from its Temp folder, running with an ‘execution policy bypass’ that allowed it to skip PowerShell’s built-in safety checks,” Barracuda said.

“The script was executed with system-level privileges, giving it full control over the infected server.”

The threat actor then used encoded PowerShell commands to launch further tooling, including several disguised scripts and a handful of unknown executables placed in trusted directories so that they would attract less scrutiny. Encoded commands hide the script body from a casual look at the command line, which is why defenders should decode and inspect them rather than match only on the visible string.

Several more disguised scripts, along with a script to change firewall rules, were placed in a "staging area" the attacker created on the device. Registry changes were made to further obscure the activity, and the attacker then stopped the Volume Shadow Copy Service, a step ransomware operators commonly take to interfere with the shadow copies a victim would otherwise use to roll back encrypted files, before attempting to deploy the ransomware payload and encrypt the victim's data.

By 4:54am, almost an hour after the attack began, the ransomware payload began encrypting files. Barracuda's XDR agent, which was installed on the device, detected the activity, stopped the attack in its tracks and isolated the system.
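As an added illustration of how a defender might surface this chain in process-creation telemetry, the following Python is example code written for this article; it is not Barracuda's detection logic and not part of the original report. It tags events for the stages described above (an RMM agent spawning PowerShell with an execution-policy bypass from a Temp folder as SYSTEM, encoded commands, firewall changes, Volume Shadow Copy Service tampering, off-hours timing) and only escalates when several distinct stages appear together. The sample events, their field layout, the RMM agent process names and install path, the backup-vendor path and the "quiet hours" window are all constructed or assumed for the example.

```python
"""Added example: tag constructed process-creation events for the living-off-the-land
chain described in the article. Not Barracuda's detection logic; the events, field
names, RMM agent image names and quiet-hours window are assumptions for illustration."""
import base64
import re
from datetime import datetime
from typing import Dict, List, Optional

# Assumed process names for the Datto RMM agent; adjust to the agent in your estate.
RMM_AGENT_IMAGES = {"aemagent.exe", "cagservice.exe"}
# Assumed quiet window (local hours) in which RMM-driven PowerShell deserves a closer look.
OFF_HOURS = range(0, 6)

ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
BYPASS_RE = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)
TEMP_SCRIPT_RE = re.compile(r"\\temp\\[^\s\"']+\.ps1", re.I)
VSS_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|stop-service\b[^|;]*\bvss\b"
    r"|net(?:\.exe)?\s+stop\s+vss|wmic\s+shadowcopy\s+delete", re.I)
FIREWALL_RE = re.compile(r"netsh(?:\.exe)?\s+advfirewall|(?:new|set|remove)-netfirewallrule", re.I)
STAGE_TAGS = {"rmm_spawned_bypass", "encoded_powershell", "vss_tamper", "firewall_change"}


def encode_ps(script: str) -> str:
    """Build the UTF-16LE base64 form that powershell -EncodedCommand accepts."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script body hidden behind -enc/-EncodedCommand, if any."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: the encoded flag itself is still tagged below


def analyse_event(ev: Dict[str, str]) -> List[str]:
    """Return the detection tags that apply to one process-creation event."""
    tags: List[str] = []
    cmd = ev["cmdline"]
    decoded = decode_encoded_command(cmd)
    if ENCODED_RE.search(cmd):
        tags.append("encoded_powershell")
    # Inspect the decoded body too, so a hidden Stop-Service or netsh is not missed.
    inspect = cmd if decoded is None else cmd + " " + decoded
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    if parent in RMM_AGENT_IMAGES and BYPASS_RE.search(cmd):
        tags.append("rmm_spawned_bypass")
    if TEMP_SCRIPT_RE.search(inspect):
        tags.append("script_in_temp")
    if tags and ev["user"].upper().endswith("\\SYSTEM"):
        tags.append("runs_as_system")
    if VSS_RE.search(inspect):
        tags.append("vss_tamper")
    if FIREWALL_RE.search(inspect):
        tags.append("firewall_change")
    hour = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S").hour
    if tags and hour in OFF_HOURS:
        tags.append("off_hours")  # context for triage, not a detection on its own
    return tags


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> tags for every event that triggered at least one tag."""
    return {i: t for i, ev in enumerate(events) if (t := analyse_event(ev))}


def chain_hit(events: List[Dict[str, str]]) -> bool:
    """Escalate only when three or more distinct stages appear together; a single
    stage (e.g. a backup job touching VSS) looks too much like legitimate IT."""
    seen = set()
    for tags in triage(events).values():
        seen.update(STAGE_TAGS.intersection(tags))
    return len(seen) >= 3


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry (Sysmon/4688-style fields); not real logs. Paths are assumed.
SAMPLE_EVENTS = [
    {"time": "2025-09-22 04:02:11", "user": r"NT AUTHORITY\SYSTEM", "image": PS,
     "parent": r"C:\Program Files (x86)\CentraStage\AEMAgent.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\update.ps1"},
    {"time": "2025-09-22 04:05:40", "user": r"NT AUTHORITY\SYSTEM", "image": PS, "parent": PS,
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + encode_ps("Stop-Service -Name VSS -Force")},
    {"time": "2025-09-22 04:07:02", "user": r"NT AUTHORITY\SYSTEM", "image": PS, "parent": PS,
     "cmdline": "powershell.exe -enc " + encode_ps(
         'netsh advfirewall firewall add rule name="Backup Sync" dir=in action=allow protocol=TCP localport=8443')},
    # Benign control: a vendor backup service running its own script in the evening.
    {"time": "2025-09-21 22:00:03", "user": r"NT AUTHORITY\SYSTEM", "image": PS,
     "parent": r"C:\Program Files\ExampleBackup\backupsvc.exe",
     "cmdline": r'powershell.exe -File "C:\Program Files\ExampleBackup\maint.ps1"'},
]

if __name__ == "__main__":
    for idx, tags in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["time"], tags)
    print("chain hit:", chain_hit(SAMPLE_EVENTS))
```

The benign backup event produces no tags, which is the point of the design: any one stage on its own (PowerShell as SYSTEM, a service stop, a firewall rule) is routine enough that paging on it would bury the analyst, so the escalation decision in chain_hit is made on the combination rather than on any single match.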

“The attacker’s activity closely mirrored what a backup agent might legitimately do during scheduled jobs. This made everything look like regular IT activity,” Barracuda said.

“Akira is a clever and inventive RaaS – the developers behind the malware don’t follow a fixed playbook. Their tactics change regularly, which makes it harder to catch them in the early stages of an attack because they don’t match known attack signatures.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
